Introduction

The EU and United States Need to Repair and Reinforce the Digital Transatlantic Relationship

The Role and Value of Data Flows and Digital Trade in the Transatlantic Relationship

What’s at Stake: The Valuable Role of Transatlantic Data Flows Across Sectors

Policy Recommendations

Conclusion

Endnotes

Introduction

Cross-border data transfers—involving both personal and nonpersonal data—enable Firms of all sectors and sizes to engage in transatlantic commerce. Government agencies also need firms to be able to transfer data across borders as part of financial oversight, drug approval, law enforcement, counterterrorism, and other responsibilities. The European Union’s (EU) General Data Protection Regulation (GDPR) was supposed to bring a more predictable and harmonized approach to data protection within the EU and provide a range of tools for firms to transfer EU personal data overseas. Instead, successive court challenges have made it harder and more complex—and without political intervention, the situation will devolve into an irrevocably severed transatlantic digital relationship. EU and U.S. policymakers need to step in and avoid taking a narrow and legalistic approach to the challenges facing transatlantic data flows and instead build back better in terms of creating a new and efficient transatlantic data framework.

Transatlantic digital policy cooperation has faced a decade of turmoil—but it has never been as dire as now. For the second time, the EU’s top court (in the Schrems II case) invalidated the framework that manages transatlantic transfers of EU personal data (the EU-U.S. Privacy Shield), after finding that U.S. laws do not sufficiently protect data about EU citizens stored in the United States.^[1] The challenge for policymakers is to reconcile the EU’s data protection laws with U.S. surveillance policies and practices. Unfortunately, the current stalemate makes transatlantic data transfers increasingly difficult, if not impossible, and imperils other major transatlantic interests around commercial access to data for trade and innovation and government cooperation on law enforcement, national security, and regulatory issues.

It is impossible to fully localize any digital process, good, or service without some level of impact or disruption. The underlying data storage infrastructure does not necessarily rely on the ability to exchange data across borders, but the services built on it certainly do.

Potential legal challenges and restrictive policy proposals by the European Data Protection Board (EDPB) and others are raising concerns about whether firms will still be able to use standard contractual clauses (SCCs), which are the last broadly accessible legal tool for U.S. and EU firms to transfer EU personal data.^[2] Indicative of where this is heading, the EDPB has already issued guidance that “strongly encourages” EU institutions considering new contracts with service providers “to avoid processing activities that involve transfers of personal data to the United States.”^[3] Another major (and restrictive) policy reaction is making firms (no matter how big or small) responsible for assessing each storage destination’s surveillance and government access laws—and that the hypothetical potential for any data disclosure is reason enough to not transfer EU personal data. This is an unrealistic legal and practical threshold for firms to meet given it fails to account for the actual potential of government access and the difficulty in understanding different and constantly changing legal frameworks around the world.

Transatlantic data flows may be suddenly severed through another legal challenge or reduced over time as new restrictive requirements are defined and enforced against firms by the EDPB and individual EU member state data protection authorities. Within this challenge of rebuilding the transatlantic digital relationship, it is important to reinforce the central point that data transfers, data-driven innovation, and data protection are not mutually exclusive. Firms cannot undermine local data privacy, protection, and other related laws by transferring data to another country because they are held accountable for how they manage data, meaning local legal requirements travel with the data, regardless of where it is stored and processed.^[4] This contrasts with the European focus on the geography of data storage. Making international transfers of EU personal data increasingly difficult, costly, and legally uncertain leaves local data storage and processing as the only viable option, which is the end goal for many privacy advocates and policymakers in Europe. As it stands, the EU’s approach to data privacy is creating the world’s largest de facto data localization framework. The EU’s only peer is China’s broad and growing explicit data localization regime, with laws that make local data storage and processing the norm and transfers the exception. At some point, the pressure on U.S. policymakers to reciprocate with equally restrictive rules preventing EU firms such as Volkswagen, Phillips, Siemens, and Sanofi from transferring data from their U.S. operations to their EU headquarters will become significant enough to spur retaliatory action.

It is infeasible for firms to build out local human resources, management, research and development (R&D), regulatory compliance, and information technology (IT) and customer support services in each and every market that has local data storage requirements. Such requirements undermine the ability of all firms—especially globally engaged ones—to leverage the distributed power of the Internet and centralized IT systems to manage local, regional, and global business operations and compliance activities. It is impossible to fully localize any digital process, good, or service without some level of impact or disruption. While it may be technically possible for a company—particularly a large one—to fully localize data storage, there would be major disruptions and changes to the type and quality of services, as well as limits on the use of technologies such as artificial intelligence (AI) wherein algorithms improve with larger datasets. The underlying data storage infrastructure does not necessarily rely on the ability to exchange data across borders, but the services built on it certainly do.

Transatlantic data flows have enormous economic implications. Two-way EU-U.S. digital trade grew from an estimated $166 billion in 2005 to $292 billion in 2015. The sectoral case studies in this report show what is at stake. Despite the popular misconception that data flows only benefit search engines and social networks, severing transatlantic data flows would have wide-reaching impacts across the global economy. Yet, some EU policymakers think that restricting or cutting off data flows and digital trade with the United States is a good thing as it aligns with their “digital sovereignty” goals, believing that if it hurts leading U.S. tech firms, then it must be good—without realizing or appreciating the broader and much larger costs. This stance ignores the fact that doing so would also hurt the hundreds of European firms that used Privacy Shield and SCCs to manage data transfers between their headquarters and offices and operations in the United States.^[5] Unfortunately, this protectionist impulse is also evident in Europe’s ongoing effort to define its own digital economy framework, such as the European Commission’s data strategy and its Data Governance Act.^[6]

But the impact is not only trade and innovation-related—governments on both sides of the Atlantic depend on firms being able to transfer data as part of day-to-day regulatory requirements, whether for financial oversight of the banking, financial, and payments sectors (for financial stability, counter-terrorism financing, or anti-money-laundering purposes) or the review of clinical trials by respective public health agencies. This is obviously in addition to law enforcement and national security cooperation.

This report starts by outlining the history of the transatlantic digital relationship to show how both the EU and Unites States have continuously recognized the value in working together to address issues as they arise. However, this report also makes the case that this relationship should not be based on troubleshooting, but ideally, on a broader digital agenda, given both sides share many values and interests. It then analyzes estimates of the economic value of transatlantic digital trade, before providing a series of sectoral case studies to show how firms in a diverse range of sectors—from automotive and other advanced manufacturers to life sciences to consumer Internet services to financial and banking services—use transatlantic data flows.

Finally, this report provides recommendations to build a better, stronger, and broader transatlantic digital relationship:

1. Policymakers should negotiate a new Privacy Shield. Long term, the two sides could work toward legislation and a treaty agreement that would codify some of their commitments. In an ideal world, the United States and Europe would work together with like-minded countries to develop a “Geneva Convention for Data,” which would create consensus on issues around government access to data.
2. The EU should redouble efforts to build new data transfer mechanisms under GDPR. This would be in addition to the more immediate need to make existing legal tools (SCCs and binding corporate rules) clear, reasonable, and accessible.
3. The United States and EU should conclude negotiations to improve transatlantic access to electronic evidence for law enforcement investigations.
4. The EU and United States should build a broader agenda for pragmatic cooperation on data and digital policy issues—one based on “digital realpolitik.” Such cooperation would be economically beneficial to both sides given their extensive economic connections. Furthermore, while there are points of conflict, overall, their shared values stand in stark contrast to those of authoritarian digital powers such as China and Russia. Such an agenda could work on how to develop data sharing frameworks; develop and apply the appropriate regulation of AI, such as via algorithmic accountability; develop interoperable electronic identity systems; build pre-standardization cooperation for new and emerging technologies; develop a coordinated strategy to counter China’s efforts to unduly influence international standards setting for AI and digital policies; and cooperate and coordinate investment screening and export controls that increasingly deal with data and digital technologies.

The EU and United States Need to Repair and Reinforce the Digital Transatlantic Relationship

Despite constant pressure over the last decade—and as reactions to the Snowden revelations continue to reverberate—both the EU and United States have kept the transatlantic data and digital relationship going. Despite the challenges, there is largely bipartisan support in the United States for EU-U.S. digital engagement.

There was substantial continuity across the Obama and Trump administrations, which is likely to continue in the Biden administration. In 2014, President Obama issued presidential policy directive number 28 on “Signals Intelligence Activities,” which included safeguards for non-U.S. persons in signals intelligence.^[7] Privacy Shield was signed under President Obama, and was also supported by the Trump administration. The U.S. Federal Trade Commission enforced Privacy Shield throughout both administrations. Meanwhile, the U.S. Congress continues to debate a comprehensive U.S. data privacy bill that would no doubt improve the overall context for engagement with the EU. However, data privacy legislation would not address the fundamental disagreement over U.S. government surveillance that is at the heart of Schrems II.

Without political intervention, it is likely that transatlantic data transfers will eventually be cut off.

Given this, rebuilding a strong transatlantic relationship will require action on both sides. Most of the focus has been on the United States, which has already made changes to account for EU concerns and signaled its willingness to consider further changes. Yet, ongoing conflict over EU policy remains. The United States should take into consideration European concerns as it updates its laws and policies around government access to data and data protection. However, the EU should also consider policy and legal reforms to GDPR and other digital policies as part of constructive efforts to build both short- and long-term tools to address both new and ongoing issues regarding international data governance. EU member states also need to be consistent in addressing data privacy and surveillance issues. National security is not a European Commission or EU competency, so doing so will require EU member engagement. If the EU continues to take a largely hands-off approach about the need to address all related issue—not just privacy, but trade and national security—it will lead to ruin as it leaves privacy advocates, the EDPB, and the courts in the driver’s seat of a critically important part of the transatlantic relationship.^[8] Without political intervention, it is likely that transatlantic data transfers will eventually be cut off.

The stakes involved in building a successful transatlantic digital relationship are already high, but they grow even higher, given the many global debates about data and digital technologies. If the EU and United States want to truly work together on these issues—as the European Commission frequently calls for—they both need to show that they can address their own issues in a way that presents a model for other countries. Absent such an outcome, calls for transatlantic cooperation on global issues would be seen as meaningless.

The Role and Value of Data Flows and Digital Trade in the Transatlantic Relationship

Digital trade—including both digital and digitally enabled services—is an increasingly important component of the global economy. As the sectoral case studies show, cross-border transfers of data underpin virtually all business processes in international trade and investment.^[9]

Estimating the value of transatlantic data flows and digital trade is challenging.^[10] For example, approximating value by the aggregate volume of data transfers has significant limitations.^[11] The value of data depends on its content.^[12] Data is also highly context specific. An individual person’s data may be valuable to that person, but only hold broader value when aggregated with data from many other individuals and other sources of data. The value of data is temporal in that it may only become valuable when used as part of future analysis. Furthermore, some data flows may be non-monetized—representing intra-company transfers that are commercially valuable, but not captured in a formal transaction. Similarly, gross domestic product (GDP) and other economic statistics do not measure the value of consumer surplus, such as when consumers access digital goods and services at no financial cost.^[13] While estimating the value of the specific underlying data and its transfer is difficult, it is clear that continuous data aggregation and analysis by firms creates enormous value, in what the Organization for Economic Cooperation and Development (OECD) calls the “global data value cycle.”^[14]

While precise, comprehensive, and consistent measurement of the value of data and digital trade in and between the United States and EU is not yet possible, there are a range of estimates that support what we know anecdotally—that data and digital trade represent an important and fast-growing part of the global economy.^[15] In August 2020, the U.S. Department of Commerce’s report “New Digital Economy Estimates” calculated that the digital economy accounted for 9 percent of U.S. GDP in 2018, which ranked it just below the manufacturing sector (which accounted for 11.3 percent) and just above finance and insurance (7.6 percent).^[16] From 2006 to 2018, the U.S. digital economy’s real value added grew at an annual rate of 6.8 percent. It supported 8.8 million jobs, which represented 5.7 percent of U.S. total employment.^[17] In Europe, the value added from the information and communication technology (ICT) sector in 2017 was equivalent to at least 3.9 percent of GDP, 2.5 percent of total employment, and 18.6 and 20.6 percent of the total R&D personnel and researchers in the EU, respectively.^[18] Employment in the EU’s ICT services sector grew by 22.7 percent between 2012 and 2017.^[19] And as of 2020, one of the fastest-growing aspects of the global digital economy, the “app economy,” accounts for over 2 million jobs in the U.S. and EU alike.^[20]

Data and digital trade represent an important and fast-growing part of the global economy.

Traditional trade statistics capture some of the EU-U.S. digital trade relationship, but not all.^[21] The United States is both the largest (non-EU) market for Europe’s digitally enabled services and its largest supplier.^[22] Indicative of this, about half of all data flows in both the United States and Europe are transatlantic transfers.^[23] In 2018, digitally enabled services accounted for the majority of U.S. services exports (55 percent), nearly half of U.S. services imports (48 percent), and a full 69 percent of U.S. global surplus in services.^[24] The U.S. also accounted for 32 percent of exports and 39 percent of imports of digitally enabled services from and to the EU.^[25]

The U.S. Department of Commerce’s ICT and potential-ICT based digital trade data provides the broadest, and most recent, estimate of transatlantic digital trade, which in total, was worth $295 billion in 2018. It captures both ICT services that are used to facilitate information processing and communication (e.g., computer and telecommunication services) and potentially ICT-enabled services that can predominantly be delivered remotely over ICT networks, such as financial, insurance, intellectual property, professional and management services, and R&D services, among others.[26] The data estimates that, in 2018, ICT and potential-ICT based digital trade between the United States and Europe was $188 billion in exports to, and $107 billion in imports from, the EU, respectively (see figure 1).

Figure 1: U.S. exports and imports of ICT and potential ICT-based digital trade with the EU (2018)[27]